Short description
Win32/Delf.NGW installs a backdoor that can be controlled remotely. The file is run-time compressed using PECompact.
Installation
When executed, the trojan copies itself in the following locations:
The trojan creates the following files:
- %windir%\kbdfi32.dll (26624 B)
- c:\ali.html (0 B)
In order to be executed on every system start, the trojan sets the following Registry entry:
"Microsoft Windows Visual V2.0" = "%windir%\msiutil.exe"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft Windows Visual V2.0]
"StubPath" = "%windir%\msiutil.exe"
"Microsoft Windows Visual V2.0" = "%garbage_string%"
The trojan runs the default Internet browser.
The trojan loads and injects the %windir%\kbdfi32.dll library into the following processes:
Other information
The backdoor receives data and commands from a remote computer or the Internet. The backdoor contains a list of (6) URLs.
It tries to download a file from the addresses. The HTTP protocol is used. The file is stored into the following folder:
If successful, the following filename is used:
It can execute the following operations:
- download files from a remote computer and/or Internet
- run executable files
- terminate running processes
- delete files
It can send various information about the infected computer to an attacker. The following information is collected:
- user name
- operating system version
- malware version
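A host triage check for the installation artifacts listed under Installation, as an added example that is not part of the original description. The file paths, sizes, value name and Active Setup key are taken from the description; the Run key locations are an assumption, because the description does not name the key that holds the autostart entry.

```powershell
# Added example (not vendor code). Indicators come from the description above;
# the Run key locations are an assumption (the description omits the key name).
$name     = 'Microsoft Windows Visual V2.0'
$findings = @()

# Files named in the description; Size = $null where no size is listed.
$files = @(
    @{ Path = (Join-Path $env:windir 'kbdfi32.dll'); Size = 26624 },
    @{ Path = (Join-Path $env:windir 'msiutil.exe'); Size = $null },  # target of the registry values
    @{ Path = 'C:\ali.html';                         Size = 0 }
)
foreach ($f in $files) {
    $item = Get-Item -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $sizeOk = ($null -eq $f.Size) -or ($item.Length -eq $f.Size)
        $findings += [pscustomobject]@{ Type = 'File'; Location = $f.Path
            Detail = "Length=$($item.Length) SizeMatchesDescription=$sizeOk" }
    }
}

# Active Setup component key and StubPath value, as given in the description.
$asKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$name"
$stub  = (Get-ItemProperty -LiteralPath $asKey -ErrorAction SilentlyContinue).StubPath
if ($stub) {
    $findings += [pscustomobject]@{ Type = 'ActiveSetup'; Location = $asKey; Detail = "StubPath=$stub" }
}

# Autostart value name from the description, looked up under the usual Run keys (assumed).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
        $findings += [pscustomobject]@{ Type = 'Run'; Location = $k; Detail = "$name=$($props.$name)" }
    }
}

# Processes that currently have the injected library loaded.
foreach ($p in (Get-Process)) {
    try { $mods = @($p.Modules) } catch { $mods = @() }   # protected processes deny access
    if ($mods | Where-Object { $_.ModuleName -ieq 'kbdfi32.dll' }) {
        $findings += [pscustomobject]@{ Type = 'LoadedModule'
            Location = "$($p.ProcessName) (PID $($p.Id))"; Detail = 'kbdfi32.dll' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed artifacts found.' }
```

Run it from an elevated session so that modules of other users' processes can be enumerated; a 32-bit process on 64-bit Windows is only visible to a 32-bit PowerShell host.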